VYATTA - Lab manual - Case study 8 - IPSec

Vyatta Case study 8 - IPSec
Last updated: Mar 18 2008






Croatian translation by Oliver Mucafir.






1. GENERAL CASE   2. DIAGRAM   3. CONFIGURATION   4. COMMAND OUTPUT


1. GENERAL CASE

Vyatta version used: VC 2.2, 30 September 2007.
The goal of this walkthrough is to build a secure tunnel between a Vyatta router and a Cisco router using IPSec.
IPSec is a set of Layer 3 protocols commonly used to build Virtual Private Networks (VPNs) across untrusted networks such as the Internet.
To provide IPSec, Vyatta integrates Openswan, a free, open-source IPSec implementation for Linux.

Here we limit ourselves to a few key concepts about IPSec and VPNs.

IPSec:

IPSec can be composed of one or both of the following Layer 3 protocols:
ESP (IP protocol 50, RFC 2406) and AH (IP protocol 51, RFC 2402). ESP provides confidentiality and integrity; AH provides integrity only, with no encryption. (Both RFCs have since been obsoleted by RFC 4303 and RFC 4302 respectively; the protocol numbers are unchanged.)

Two protocols are closely tied to IPSec: ISAKMP (RFC 2408) and IKE (RFC 2409). ISAKMP (Internet Security Association and Key Management Protocol) defines how security associations are negotiated; IKE (Internet Key Exchange) performs the authenticated key exchange on top of it, over UDP port 500 (UDP port 4500 when NAT traversal is in use; the outputs below show NAT-T: No).

Only predefined traffic, called "interesting traffic", can bring up the IPSec tunnel.

VPNs:

To count as a VPN, a tunnel must satisfy the following principles:

- Confidentiality (privacy): data must not be readable in transit.
- Integrity: data must not be modifiable without detection.
- Authentication: each VPN gateway is certain of the other gateway's identity.

About this case:

Loopback (virtual) addresses are configured on Cisco-routerA and on the Vyatta. The IPSec tunnel comes up only when traffic flows from one router's loopback address to the other router's loopback address.
See further down for details on how to bring the tunnel up.

Important note: Vyatta supports only ESP, not AH.


2. DIAGRAM

[Diagram: Cisco-routerA (FastEthernet0/1 50.0.0.1, Loopback1 10.250.1.1) -- Cisco-routerB (FastEthernet0/1 50.0.0.2, FastEthernet0/0 100.0.0.2) -- Vyatta (eth0 100.0.0.1, lo 10.200.1.1). The IPSec tunnel runs between 50.0.0.1 and 100.0.0.1 across Cisco-routerB, which only routes the WAN addresses.]

Tested features:

Interface configuration
IPSec
IKE


3. CONFIGURATION

Security caveat: this is a 2007 lab configuration. 3DES, MD5 and DH group 2 are weak by today's standards (the Openswan build below also offers AES, HMAC-SHA2-256 and MODP2048, so stronger choices are available), the pre-shared key "teddy" is trivially guessable, and "set service telnet" together with "line vty 0 4 / no login" leave cleartext, unauthenticated management access on the routers. Use these settings only on an isolated lab network.

VYATTA ROUTER VC2.2 Aug 30, 2007

edit interfaces ethernet eth0
  set address 100.0.0.1 prefix-length 24
edit interfaces loopback lo
  set address 10.200.1.1 prefix-length 24
set system host-name Vyatta
set service telnet
edit system login user vyatta
  set authentication plaintext-password password

set vpn ipsec
edit vpn ipsec
  set ipsec-interfaces
  edit ipsec-interfaces
    set interface eth0

  set ike-group IKE
  edit ike-group IKE
    set lifetime 7200
  set ike-group IKE proposal 1
  edit ike-group IKE proposal 1
    set encryption 3des
    set hash md5
    set dh-group 2

  set esp-group ESP
  edit esp-group ESP
    set lifetime 1800
  set esp-group ESP proposal 1
  edit esp-group ESP proposal 1
    set encryption 3des
    set hash md5

  set site-to-site
  edit site-to-site
    set peer 50.0.0.1
    edit peer 50.0.0.1
      set authentication pre-shared-secret teddy
      set ike-group IKE
      set local-ip 100.0.0.1
      set tunnel 1
      edit tunnel 1
        set local-subnet 10.200.0.0/16
        set remote-subnet 10.250.0.0/16
        set esp-group ESP

set protocols static route 50.0.0.1/32 next-hop 100.0.0.2

CISCO ROUTER A 2621 IOS: 12.2(46a)

hostname Cisco-routerA
interface FastEthernet0/1
  ip address 50.0.0.1 255.255.255.0
  crypto map m1
interface Loopback 1
  ip address 10.250.1.1 255.255.255.255
line vty 0 4
  no login
enable secret password

crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 7200
crypto isakmp key teddy address 100.0.0.1

crypto ipsec transform-set t1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 1800

crypto map m1 110 ipsec-isakmp
  set peer 100.0.0.1
  set transform-set t1
  match address 111

access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

ip route 100.0.0.1 255.255.255.255 50.0.0.2
ip route 10.200.1.1 255.255.255.255 100.0.0.1

CISCO ROUTER B 2621 IOS: 12.2(23a)

hostname Cisco-routerB
interface FastEthernet0/0
  ip address 100.0.0.2 255.255.255.0
interface FastEthernet0/1
  ip address 50.0.0.2 255.255.255.0
line vty 0 4
  no login
enable secret password


4. COMMAND OUTPUT:

BRINGING UP THE IPSEC TUNNEL:

Interesting traffic is defined as follows:

On the Cisco router: source 10.250.0.0/16; destination 10.200.0.0/16
   access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255

On the Vyatta router: source 10.200.0.0/16; destination 10.250.0.0/16
   set local-subnet 10.200.0.0/16
   set remote-subnet 10.250.0.0/16


For the IPSec tunnel to come up, a packet's source and destination addresses must both fall inside the ranges defined on the Vyatta and Cisco routers; each side's local/remote pair is the mirror image of the other's.

We use ping to generate traffic that matches these selectors. The source IP address must be given explicitly in the ping command; otherwise the source defaults to the address of the outgoing physical interface, which matches no selector, so nothing is tunnelled.
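The two selector definitions and the ping-source rule above are easy to get wrong in production, where the ACL and the local/remote subnets are longer than one line. The script below is an added example, not code from the page, from Vyatta or from Cisco: it converts the Cisco wildcard mask to a network, checks that ACL 111 and the Vyatta local-subnet/remote-subnet are mirror images, and classifies the two pings shown in this section (the packet list is constructed here; CISCO_ACL and VYATTA_SELECTORS are the lines from the configuration above).

```python
"""Interesting-traffic check for the selectors configured above.

Added example, not code from the original page, Vyatta or Cisco. The ACL
entry and the two 'set ...-subnet' lines are copied from the configuration
above; PACKETS is constructed here to reproduce the pings of section 4.
"""
import ipaddress
import re

CISCO_ACL = "access-list 111 permit ip 10.250.0.0 0.0.255.255 10.200.0.0 0.0.255.255"
VYATTA_SELECTORS = ["set local-subnet 10.200.0.0/16",
                    "set remote-subnet 10.250.0.0/16"]


def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard mask is an inverted netmask: 0.0.255.255 -> /16."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_cisco_acl(line):
    """(source network, destination network) of a 'permit ip A wcA B wcB' entry."""
    m = re.fullmatch(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, wsrc, dst, wdst = m.groups()
    return wildcard_to_network(src, wsrc), wildcard_to_network(dst, wdst)


def parse_vyatta_selectors(lines):
    """(local-subnet, remote-subnet) from the tunnel's 'set' lines."""
    found = {}
    for line in lines:
        m = re.fullmatch(r"set (local|remote)-subnet (\S+)", line.strip())
        if m:
            found[m.group(1)] = ipaddress.IPv4Network(m.group(2), strict=False)
    return found["local"], found["remote"]


def mirrored(cisco_src, cisco_dst, vyatta_local, vyatta_remote):
    """Quick Mode needs each side's (local, remote) to equal the other side's
    (remote, local) exactly; IKEv1 does not narrow selectors."""
    return cisco_src == vyatta_remote and cisco_dst == vyatta_local


def is_interesting(src_ip, dst_ip, local_net, remote_net):
    """True when a packet leaving this side matches its local -> remote selector."""
    return (ipaddress.IPv4Address(src_ip) in local_net
            and ipaddress.IPv4Address(dst_ip) in remote_net)


def classify_from_vyatta(packets):
    """Map (src, dst) pairs sent by the Vyatta to True (tunnelled) or False."""
    local, remote = parse_vyatta_selectors(VYATTA_SELECTORS)
    return {pkt: is_interesting(pkt[0], pkt[1], local, remote) for pkt in packets}


# Constructed packets: the two pings of section 4.
PACKETS = [
    ("10.200.1.1", "10.250.1.1"),  # ping -I 10.200.1.1 ...: brings the tunnel up
    ("100.0.0.1", "10.250.1.1"),   # plain ping: sourced from eth0, never encrypted
]

if __name__ == "__main__":
    c_src, c_dst = parse_cisco_acl(CISCO_ACL)
    v_local, v_remote = parse_vyatta_selectors(VYATTA_SELECTORS)
    print("Cisco ACL 111 :", c_src, "->", c_dst)
    print("Vyatta tunnel :", v_local, "->", v_remote)
    print("mirror image  :", mirrored(c_src, c_dst, v_local, v_remote))
    for pkt, hit in classify_from_vyatta(PACKETS).items():
        print(f"{pkt[0]:>11} -> {pkt[1]:<11} interesting={hit}")
```

A remote-subnet of 10.250.1.0/24 on the Vyatta, against the unchanged /16 ACL on the Cisco, is the classic misconfiguration this catches: phase 1 completes, phase 2 never does.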

Cisco-RouterA#ping

Protocol [ip]:
Target IP address: 10.200.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.250.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.250.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1

-I: source IP address to use
-c: number of packets to send

PING 10.250.1.1 (10.250.1.1) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.53 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.60 ms
64 bytes from 10.250.1.1: icmp_seq=1 ttl=255 time=3.50 ms
64 bytes from 10.250.1.1: icmp_seq=2 ttl=255 time=3.58 ms

--- 10.250.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 3.502/3.557/3.607/0.039 ms
IKE

Cisco-RouterA#show crypto isakmp policy

Protection suite of priority 1
  encryption algorithm: Three key triple DES
  hash algorithm: Message Digest 5
  authentication method: Pre-Shared Key
  Diffie-Hellman group: #2 (1024 bit)
  lifetime: 7200 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - Data Encryption Standard (56 bit keys).
  hash algorithm: Secure Hash Standard
  authentication method: Rivest-Shamir-Adleman Signature
  Diffie-Hellman group: #1 (768 bit)
  lifetime: 86400 seconds, no volume limit
Cisco-RouterA#show crypto isakmp sa

dst         src          state    conn-id  slot
50.0.0.1    100.0.0.1    QM_IDLE  4        0
Cisco-RouterA#show crypto isakmp key

Hostname/Address 100.0.0.1
Preshared Key teddy
Vyatta>show vpn ike status

IKE Process Running

PID: 8366
Vyatta>show vpn ike secrets

Local IP     Peer IP     Secret
--------     -------     ------
100.0.0.1    50.0.0.1    "teddy"

Both "show crypto isakmp key" and "show vpn ike secrets" print the pre-shared key in clear text: operator-level CLI access on either router is equivalent to holding the tunnel secret.

Vyatta>show vpn ike sa

Local IP     Peer IP     State  Encrypt  Hash  NAT-T  A-Time  L-Time
--------     -------     -----  -------  ----  -----  ------  ------
100.0.0.1    50.0.0.1    up     3des     md5   No     769     7200
IPSEC

Cisco-RouterA#show crypto ipsec transform-set

Transform set t1: { esp-3des esp-md5-hmac }
  will negotiate = { Tunnel, },
Cisco-RouterA#show crypto ipsec security-association-lifetime

Security association lifetime: 4608000 kilobytes/1800 seconds
Cisco-RouterA#show crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: m1, local addr. 50.0.0.1
           
  local ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
  current_peer: 100.0.0.1
      PERMIT, flags={origin_is_acl,}
    # pkts encaps: 30, #pkts encrypt: 30, #pkts digest 30
    # pkts decaps: 30, #pkts decrypt: 30, #pkts verify 30
    # pkts compressed: 0, #pkts decompressed: 0
    # pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    # send errors 0, #recv errors 0
           
      local crypto endpt.: 50.0.0.1, remote crypto endpt.: 100.0.0.1
      path mtu 1500, ip mtu 1500, ip mtu interface FastEthernet0/1
      current outbound spi: CA59FF09
           
      inbound esp sas:
        spi: 0xEC0B17CB(3960149963)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2004, flow_id: 5, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      inbound ah sas:
           
      inbound pcp sas:
           
      outbound esp sas:
        spi: 0xCA59FF09(3394895625)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel, }
          slot: 0, conn id: 2005, flow_id: 6, crypto map: m1
          sa timing: remaining key lifetime (k/sec): (4607999/1419)
          IV size: 8 bytes
          replay detection support: Y
           
      outbound ah sas:
           
      outbound pcp sas:
Cisco-RouterA#show crypto engine connections active

ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
4     FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  0        0
2004  FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  0        5
2005  FastEthernet0/1  50.0.0.1    set    HMAC_MD5+3DES_56_C  5        0
Vyatta>show vpn ipsec status

IPSec Process Running PID: 8366

IPsec Interfaces:
   eth0 (100.0.0.1)
Vyatta>show vpn ipsec sa

Peer IP    Tunnel#  Dir  SPI       Encrypt  Hash  NAT-T  A-Time  L-Time
-------    -------  ---  ---       -------  ----  -----  ------  ------
50.0.0.1   1        in   e834f47b  3des     md5   No     185     1800
50.0.0.1   1        out  778ed647  3des     md5   No     185     1800
ROUTES:

Cisco-RouterA#show ip route

Gateway of last resort is not set
 
  50.0.0.0/24 is subnetted, 1 subnets
C   50.0.0.0 is directly connected, FastEthernet0/1
  100.0.0.0/32 is subnetted, 1 subnets
S   100.0.0.1 [1/0] via 50.0.0.2
  10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C   10.0.0.0/24 is directly connected, FastEthernet0/0
S   10.200.1.1/32 [1/0] via 100.0.0.1
C   10.250.1.1/32 is directly connected, Loopback1
Vyatta#show route

Routes: 4/4, Paths: 4/4
10.200.1.0/24 [connected(0)] > to 10.200.1.1 via lo
50.0.0.1 [static(1)] > to 100.0.0.2 via eth0
100.0.0.0/24 [connected(0)] > to 100.0.0.1 via eth0
127.0.0.0/8 [connected(0)] > to 127.0.0.1 via lo
Vyatta#show route system forward

Kernel IP routing table
Destination   Gateway     Genmask          Flags  Metric  Ref  Use  Iface
50.0.0.1      100.0.0.2   255.255.255.255  UGH    1       0    0    eth0
100.0.0.0     0.0.0.0     255.255.255.0    U      0       0    0    eth0
10.250.0.0    0.0.0.0     255.255.0.0      U      0       0    0    eth0

The 10.250.0.0/16 entry is not part of the static configuration: Openswan's updown hook (srcup=ipsec_updown in "show vpn debug" below) installs it when the connection comes up, so the remote subnet is reachable only while the tunnel is established.
DEBUGGING:

Cisco-RouterA#debug crypto isakmp

ISAKMP (0:0):     received packet from 100.0.0.1 (N) NEW SA
ISAKMP local   port 500, remote port 500
ISAKMP (0:5):   processing SA payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:     life type in seconds
ISAKMP:     life duration (basic) of 7200
ISAKMP:     encryption 3DES-CBC
ISAKMP:     hash MD5
ISAKMP:     auth pre-share
ISAKMP:     default group 2
ISAKMP (0:5):   atts are acceptable. Next payload is 0
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   processing vendor id payload
ISAKMP (0:5):   SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_SA_SETUP
ISAKMP (0:5):   processing KE payload. message ID = 0
ISAKMP (0:5):   processing NONCE payload. message ID = 0
ISAKMP (0:5):   found peer pre-shared key matching 100.0.0.1
ISAKMP (0:5):   SKEYID state generated
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   received packet from 100.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:5):   processing ID payload. message ID = 0
ISAKMP (0:5):   processing HASH payload. message ID = 0
ISAKMP (0:5):   SA has been authenticated with 100.0.0.1
ISAKMP (5): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (5): Total payload length: 12
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   processing HASH payload. message ID = -1931975646
ISAKMP (0:5):   processing SA payload. message ID = -1931975646
ISAKMP (0:5):   Checking IPSec proposal 0
  transform 0, ESP_3DES
    attributes in transform:
      group is 2
      encaps is 1
      SA life type in seconds
      SA life duration (basic) of 1800
      authenticator is HMAC-MD5
ISAKMP (0:5):   atts are acceptable.
ISAKMP (0:5):   processing NONCE payload. message ID = -1931975646
ISAKMP (0:5):   processing KE payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   processing ID payload. message ID = -1931975646
ISAKMP (0:5):   asking for 1 spis from ipsec
  received ke message (2/1)
ISAKMP (0:5):   sending packet to 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   received packet from 100.0.0.1 (R) QM_IDLE
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
Note the "group is 2" attribute in the IPSec proposal above: the Vyatta side proposes Perfect Forward Secrecy (its policy reads PSK+ENCRYPT+TUNNEL+PFS+UP in "show vpn debug" below) although the Cisco crypto map has no "set pfs". IOS accepts a PFS offer from the peer when the map does not specify one, which is why the negotiation succeeded with the Cisco as responder. Adding "set pfs group2" under "crypto map m1 110 ipsec-isakmp" makes both sides agree regardless of which one initiates.

Cisco-RouterA#debug crypto ipsec

IPSEC(sa_aging): lifetime expiring,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004,
  (identity) local= 50.0.0.1, remote= 100.0.0.1,
    local_proxy= 10.250.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 50.0.0.1, sa_prot= 50,
    sa_spi= 0xEC0B17CB(3960149963),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2004
IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 100.0.0.1, sa_prot= 50,
    sa_spi= 0xCA59FF09(3394895625),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2005
Vyatta>show vpn debug

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 10.200.1.1
000 interface eth0/eth0 100.0.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224}
000
000 "peer-50.0.0.1-tunnel-1": 10.200.0.0/16===100.0.0.1...50.0.0.1===10.250.0.0/16; erouted; eroute owner: #2
000 "peer-50.0.0.1-tunnel-1":   srcip=unset; dstip=unset; srcup=ipsec_updown; dstup=ipsec_updown;
000 "peer-50.0.0.1-tunnel-1":   ike_life: 7200s; ipsec_life: 1800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-50.0.0.1-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,16; interface: eth0;
000 "peer-50.0.0.1-tunnel-1":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-50.0.0.1-tunnel-1":   IKE algorithms wanted: 5_000-1-2, flags=strict
000 "peer-50.0.0.1-tunnel-1":   IKE algorithms found: 5_192-1_128-2,
000 "peer-50.0.0.1-tunnel-1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "peer-50.0.0.1-tunnel-1":   ESP algorithms wanted: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1":   ESP algorithms loaded: 3_000-1, flags=strict
000 "peer-50.0.0.1-tunnel-1":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=
000
000 #2: "peer-50.0.0.1-tunnel-1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 526s; newest IPSEC; eroute owner
000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 esp.778ed647@100.0.0.1 tun.0@50.0.0.1 tun.0@100.0.0.1
000 #1: "peer-50.0.0.1-tunnel-1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6418s; newest ISAKMP; nodpd
000
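The Cisco debug ("Creating IPSec SAs") and the Openswan status above describe the same pair of ESP SAs, but IOS prints one SPI in hex and the other in decimal, while Openswan prints esp.<spi>@<destination>. The script below is an added example, not code from the page, Vyatta, Openswan or Cisco: it parses both snippets (copied from the outputs above), normalises the SPIs and checks that each SA appears with the same (SPI, destination) pair on both ends. STALE_STATUS is constructed here from the SPIs of the earlier "show crypto ipsec sa" output, which predates a rekey, to show what a mismatch looks like.

```python
"""Pair the ESP SPIs Cisco reports in 'debug crypto isakmp' (Creating
IPSec SAs) with the esp.<spi>@<dst> tokens Openswan prints in 'show vpn
debug'. An IPsec SA is identified by (SPI, destination address), so each SA
must appear with the same pair on both ends; an unpaired SA means the two
outputs describe different SA generations (rekey) or a one-way tunnel.

Added example, not code from the page, Vyatta, Openswan or Cisco. The two
snippets are copied from the debugging outputs above; STALE_STATUS is
constructed from the pre-rekey SPIs of 'show crypto ipsec sa'.
"""
import re

CISCO_DEBUG = """\
ISAKMP (0:5):   Creating IPSec SAs
  inbound SA from 100.0.0.1 to 50.0.0.1
  (proxy 10.200.0.0 to 10.250.0.0)
  has spi 0xE834F47B and conn_id 2006 and flags 25
  lifetime of 1800 seconds
  outbound SA from 50.0.0.1 to 100.0.0.1 (proxy 10.250.0.0 to 10.200.0.0 )
  has spi 2005849671 and conn_id 2007 and flags 2D
  lifetime of 1800 seconds
"""

OPENSWAN_STATUS = ('000 #2: "peer-50.0.0.1-tunnel-1" esp.e834f47b@50.0.0.1 '
                   'esp.778ed647@100.0.0.1 tun.0@50.0.0.1 tun.0@100.0.0.1\n')

# Constructed: the SPIs 'show crypto ipsec sa' listed before the rekey,
# written in Openswan's notation. None of them exist in the debug above.
STALE_STATUS = ('000 #1: "peer-50.0.0.1-tunnel-1" esp.ec0b17cb@50.0.0.1 '
                'esp.ca59ff09@100.0.0.1\n')

SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+).*?has spi (\S+)", re.S)
ESP_RE = re.compile(r"esp\.([0-9a-fA-F]+)@(\S+)")


def parse_spi(text):
    """IOS prints SPIs as 0xE834F47B or 2005849671; return the integer."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def cisco_sas(debug):
    """{(direction, spi, dst)} for every SA IOS reports creating."""
    return {(d, parse_spi(spi), dst) for d, _src, dst, spi in SA_RE.findall(debug)}


def openswan_sas(status):
    """{(spi, dst)} from Openswan's esp.<hex spi>@<dst> tokens."""
    return {(int(spi, 16), dst) for spi, dst in ESP_RE.findall(status)}


def unpaired(cisco, openswan):
    """Cisco SAs with no matching (SPI, destination) on the Openswan side.
    The inbound SA's destination is the Cisco router itself, so it must show
    as esp.<spi>@<cisco-address>; the outbound one as esp.<spi>@<vyatta-address>."""
    return sorted((d, f"{spi:08x}", dst) for d, spi, dst in cisco
                  if (spi, dst) not in openswan)


if __name__ == "__main__":
    live = unpaired(cisco_sas(CISCO_DEBUG), openswan_sas(OPENSWAN_STATUS))
    print("against current Openswan status:", live or "all SAs paired")
    stale = unpaired(cisco_sas(CISCO_DEBUG), openswan_sas(STALE_STATUS))
    print("against pre-rekey SPIs:", stale)
```

With the outputs from this page the check pairs both SAs (0xE834F47B towards 50.0.0.1, 0x778ED647 = 2005849671 towards 100.0.0.1); against the pre-rekey SPIs both come back unpaired, which is the signal to re-run "show crypto ipsec sa" rather than to chase a phantom mismatch.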
CONNECTIVITY CHECKS:

Cisco-routerA and the Vyatta must be able to reach each other on their WAN addresses.
Cisco-routerA WAN address: 50.0.0.1
Vyatta WAN address: 100.0.0.1

Cisco-RouterA#traceroute 100.0.0.1

Type escape sequence to abort.
Tracing the route to 100.0.0.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 100.0.0.1 4 msec 0 msec 4 msec
Vyatta>traceroute 50.0.0.1

traceroute to 50.0.0.1 (50.0.0.1), 30 hops max, 40 byte packets
1 100.0.0.2 (100.0.0.2) 1.870 0.872 0.875
2 50.0.0.1 (50.0.0.1) 1.988 * 1.203
   ---------------------------------------------------------------------

If one IPSec router pings or traceroutes the other router's loopback address with the default source, it gets no reply: the loopback addresses are not routed on the WAN, and a probe whose source address does not match the selectors defined on the IPSec routers does not bring the tunnel up either.

Cisco-RouterA#ping 10.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.1.1, timeout is 2 seconds:
U.U.U

Success rate is 0 percent (0/5)
Vyatta>ping 10.250.1.1 -c 4

PING 10.250.1.1 (10.250.1.1) 56(84) bytes of data.
From 100.0.0.1 icmp_seq=2 Destination Host Unreachable
From 100.0.0.1 icmp_seq=3 Destination Host Unreachable
From 100.0.0.1 icmp_seq=4 Destination Host Unreachable

--- 10.250.1.1 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2999ms, pipe 3
Cisco-RouterA#traceroute 10.200.1.1

Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 50.0.0.2 0 msec 0 msec 0 msec
   2 50.0.0.2 !H !H *
Vyatta>traceroute 10.250.1.1

traceroute to 10.250.1.1 (10.250.1.1), 30 hops max, 40 byte packets
1 100.0.0.1 (100.0.0.1) 3002.304 ms !H 3003.655 ms !H 3003.975 ms !H
   ---------------------------------------------------------------------

To reach each other on their loopback addresses, and thereby bring up the IPSec tunnel, the Vyatta and Cisco routers must ping or traceroute from their loopback IP addresses.
By default the source IP address is that of the outgoing physical interface.

Cisco-RouterA#ping   (extended ping with "Source address or interface: 10.250.1.1"; output identical to the one shown under "Bringing up the IPSec tunnel" above)
Vyatta>ping -I 10.200.1.1 -c 4 10.250.1.1   (output identical to the one shown under "Bringing up the IPSec tunnel" above)
Cisco-RouterA#traceroute

Target IP address: 10.200.1.1
Source address: 10.250.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
MaximumTime to Live [1]:
Port number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.200.1.1

   1 10.200.1.1 4 msec 0 msec 4 msec